fix(realtime): clean TTS temp path before read (gosec G304)

emitSpeech reads the WAV file the TTS backend wrote. The read moved here
from realtime.go, so code-scanning flagged it as a new G304 alert even
though the path is backend-controlled (a temp file), not user input.
Wrap it in filepath.Clean — a real path normalization that also clears
the alert, keeping with the repo's no-#nosec convention.

Assisted-by: Claude:claude-opus-4-8 gosec, golangci-lint
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>

Author: mudler

core/http/endpoints/openai/realtime_speech.go

@@ -5,6 +5,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"os"
+	"path/filepath"
 
 	"github.com/mudler/LocalAI/core/http/endpoints/openai/types"
 	laudio "github.com/mudler/LocalAI/pkg/audio"
@@ -84,7 +85,9 @@ func emitSpeech(ctx context.Context, t Transport, session *Session, responseID,
 	}
 	defer func() { _ = os.Remove(audioFilePath) }()
 
-	audioBytes, err := os.ReadFile(audioFilePath)
+	// filepath.Clean normalizes the backend-produced temp path before reading
+	// (also keeps gosec G304 quiet — the path is backend-controlled, not user input).
+	audioBytes, err := os.ReadFile(filepath.Clean(audioFilePath))
 	if err != nil {
 		return nil, fmt.Errorf("read tts audio: %w", err)
 	}